Example 6 with AuthorizeCallback
use of javax.security.sasl.AuthorizeCallback in project lobcder by skoulouzis.
the class LdapConnection method _handleRequest.
protected void _handleRequest(byte[] inbuf, int offset) throws IOException {
// dumpBer(inbuf, offset);
BerDecoder reqBer = new BerDecoder(inbuf, 0, offset);
int currentMessageId = 0;
try {
reqBer.parseSeq(null);
currentMessageId = reqBer.parseInt();
int requestOperation = reqBer.peekByte();
if (requestOperation == Ldap.LDAP_REQ_BIND) {
reqBer.parseSeq(null);
responseHandler.setVersion(reqBer.parseInt());
userName = reqBer.parseString(responseHandler.isLdapV3());
log.info("Bind user name: " + userName);
if (reqBer.peekByte() == (Ber.ASN_CONTEXT | Ber.ASN_CONSTRUCTOR | 3)) {
// SASL authentication
reqBer.parseSeq(null);
// Get mechanism, usually DIGEST-MD5
String mechanism = reqBer.parseString(responseHandler.isLdapV3());
byte[] serverResponse;
CallbackHandler callbackHandler = new CallbackHandler() {
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
// look for username in callbacks
for (Callback callback : callbacks) {
if (callback instanceof NameCallback) {
userName = ((NameCallback) callback).getDefaultName();
// get password from session pool
password = userFactory.getUserPassword(userName);
}
}
// handle other callbacks
for (Callback callback : callbacks) {
if (callback instanceof AuthorizeCallback) {
((AuthorizeCallback) callback).setAuthorized(true);
} else if (callback instanceof PasswordCallback) {
if (password != null) {
((PasswordCallback) callback).setPassword(password.toCharArray());
}
}
}
}
};
int status;
if (reqBer.bytesLeft() > 0 && saslServer != null) {
byte[] clientResponse = reqBer.parseOctetString(Ber.ASN_OCTET_STR, null);
serverResponse = saslServer.evaluateResponse(clientResponse);
status = Ldap.LDAP_SUCCESS;
LogUtils.debug(log, "LOG_LDAP_REQ_BIND_USER", currentMessageId, userName);
user = userFactory.getUser(userName, password);
if (user != null) {
LogUtils.debug(log, "LOG_LDAP_REQ_BIND_SUCCESS");
} else {
LogUtils.debug(log, "LOG_LDAP_REQ_BIND", "No user! " + userName);
}
} else {
Map<String, String> properties = new HashMap<String, String>();
properties.put("javax.security.sasl.qop", "auth,auth-int");
saslServer = Sasl.createSaslServer(mechanism, "ldap", client.getLocalAddress().getHostAddress(), properties, callbackHandler);
serverResponse = saslServer.evaluateResponse(EMPTY_BYTE_ARRAY);
status = Ldap.LDAP_SASL_BIND_IN_PROGRESS;
}
responseHandler.sendBindResponse(currentMessageId, status, serverResponse);
} else {
password = reqBer.parseStringWithTag(Ber.ASN_CONTEXT, responseHandler.isLdapV3(), null);
if (userName.length() > 0 && password.length() > 0) {
log.debug("LOG_LDAP_REQ_BIND_USER", currentMessageId, userName);
try {
user = userFactory.getUser(userName, password);
LogUtils.debug(log, "LOG_LDAP_REQ_BIND_SUCCESS");
responseHandler.sendClient(currentMessageId, Ldap.LDAP_REP_BIND, Ldap.LDAP_SUCCESS, "");
} catch (IOException e) {
LogUtils.debug(log, "LOG_LDAP_REQ_BIND_INVALID_CREDENTIALS");
responseHandler.sendClient(currentMessageId, Ldap.LDAP_REP_BIND, Ldap.LDAP_INVALID_CREDENTIALS, "");
}
} else {
LogUtils.debug(log, "LOG_LDAP_REQ_BIND_ANONYMOUS", currentMessageId);
// anonymous bind
responseHandler.sendClient(currentMessageId, Ldap.LDAP_REP_BIND, Ldap.LDAP_SUCCESS, "");
}
}
} else if (requestOperation == Ldap.LDAP_REQ_UNBIND) {
log.debug("LOG_LDAP_REQ_UNBIND", currentMessageId);
if (user != null) {
user = null;
}
} else if (requestOperation == Ldap.LDAP_REQ_SEARCH) {
reqBer.parseSeq(null);
String dn = reqBer.parseString(responseHandler.isLdapV3());
log.info("Parsed DN: " + dn);
int scope = reqBer.parseEnumeration();
/*
* int derefAliases =
*/
reqBer.parseEnumeration();
int sizeLimit = reqBer.parseInt();
if (sizeLimit > 100 || sizeLimit == 0) {
sizeLimit = 100;
}
int timelimit = reqBer.parseInt();
/*
* boolean typesOnly =
*/
reqBer.parseBoolean();
LdapFilter ldapFilter = ldapParser.parseFilter(reqBer, user, userName);
Set<String> returningAttributes = ldapParser.parseReturningAttributes(reqBer);
SearchRunnable searchRunnable = new SearchRunnable(userFactory, propertyMapper, currentMessageId, dn, scope, sizeLimit, timelimit, ldapFilter, returningAttributes, responseHandler, user, searchManager);
if (Ldap.BASE_CONTEXT.equalsIgnoreCase(dn) || Ldap.OD_USER_CONTEXT.equalsIgnoreCase(dn) || Ldap.OD_USER_CONTEXT_LION.equalsIgnoreCase(dn)) {
// launch search in a separate thread
searchManager.beginAsyncSearch(this, currentMessageId, searchRunnable);
} else {
// no need to create a separate thread, just run
searchManager.search(this, searchRunnable);
}
} else if (requestOperation == Ldap.LDAP_REQ_ABANDON) {
searchManager.abandonSearch(this, currentMessageId, reqBer);
} else {
LogUtils.debug(log, "LOG_LDAP_UNSUPPORTED_OPERATION", requestOperation);
responseHandler.sendClient(currentMessageId, Ldap.LDAP_REP_RESULT, Ldap.LDAP_OTHER, "Unsupported operation");
}
} catch (IOException e) {
responseHandler.dumpBer(inbuf, offset);
try {
responseHandler.sendErr(currentMessageId, Ldap.LDAP_REP_RESULT, e);
} catch (IOException e2) {
log.debug("LOG_EXCEPTION_SENDING_ERROR_TO_CLIENT", e2);
}
throw e;
}
}
Also used :
HashMap(java.util.HashMap)
BerDecoder(com.sun.jndi.ldap.BerDecoder)
IOException(java.io.IOException)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Example 7 with AuthorizeCallback
use of javax.security.sasl.AuthorizeCallback in project activemq-artemis by apache.
the class GSSAPIServerSASL method processSASL.
@Override
public byte[] processSASL(byte[] bytes) {
try {
if (jaasId == null) {
// populate subject with acceptor private credentials
LoginContext loginContext = new LoginContext(loginConfigScope);
loginContext.login();
jaasId = loginContext.getSubject();
}
if (saslServer == null) {
saslServer = Subject.doAs(jaasId, (PrivilegedExceptionAction<SaslServer>) () -> Sasl.createSaslServer(NAME, null, null, new HashMap<String, String>(), new CallbackHandler() {
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks) {
if (callback instanceof AuthorizeCallback) {
AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
// only ok to authenticate as self
authorizeCallback.setAuthorized(authorizeCallback.getAuthenticationID().equals(authorizeCallback.getAuthorizationID()));
}
}
}
}));
}
byte[] challenge = Subject.doAs(jaasId, (PrivilegedExceptionAction<byte[]>) () -> saslServer.evaluateResponse(bytes));
if (saslServer.isComplete()) {
result = new PrincipalSASLResult(true, new KerberosPrincipal(saslServer.getAuthorizationID()));
}
return challenge;
} catch (Exception outOfHere) {
log.info("Error on sasl input: " + outOfHere.toString(), outOfHere);
result = new PrincipalSASLResult(false, null);
}
return null;
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
LoginContext(javax.security.auth.login.LoginContext)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Callback(javax.security.auth.callback.Callback)
HashMap(java.util.HashMap)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IOException(java.io.IOException)
SaslException(javax.security.sasl.SaslException)
Example 8 with AuthorizeCallback
use of javax.security.sasl.AuthorizeCallback in project storm by apache.
the class SaslPlainServer method evaluateResponse.
@Override
public byte[] evaluateResponse(byte[] response) throws SaslException {
if (completed) {
throw new IllegalStateException("PLAIN authentication has completed");
}
if (response == null) {
throw new IllegalArgumentException("Received null response");
}
try {
String payload;
try {
payload = new String(response, "UTF-8");
} catch (Exception e) {
throw new IllegalArgumentException("Received corrupt response", e);
}
// [ authz, authn, password ]
String[] parts = payload.split("\u0000", 3);
if (parts.length != 3) {
throw new IllegalArgumentException("Received corrupt response");
}
if (parts[0].isEmpty()) {
// authz = authn
parts[0] = parts[1];
}
NameCallback nc = new NameCallback("SASL PLAIN");
nc.setName(parts[1]);
PasswordCallback pc = new PasswordCallback("SASL PLAIN", false);
pc.setPassword(parts[2].toCharArray());
AuthorizeCallback ac = new AuthorizeCallback(parts[1], parts[0]);
cbh.handle(new Callback[] { nc, pc, ac });
if (ac.isAuthorized()) {
authz = ac.getAuthorizedID();
}
} catch (Exception e) {
throw new SaslException("PLAIN auth failed: " + e.toString(), e);
} finally {
completed = true;
}
return null;
}
Also used :
NameCallback(javax.security.auth.callback.NameCallback)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
SaslException(javax.security.sasl.SaslException)
SaslException(javax.security.sasl.SaslException)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Example 9 with AuthorizeCallback
use of javax.security.sasl.AuthorizeCallback in project storm by apache.
the class ServerCallbackHandler method handle.
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
NameCallback nc = null;
PasswordCallback pc = null;
AuthorizeCallback ac = null;
for (Callback callback : callbacks) {
if (callback instanceof AuthorizeCallback) {
ac = (AuthorizeCallback) callback;
} else if (callback instanceof NameCallback) {
nc = (NameCallback) callback;
} else if (callback instanceof PasswordCallback) {
pc = (PasswordCallback) callback;
} else if (callback instanceof RealmCallback) {
// Ignored...
} else {
throw new UnsupportedCallbackException(callback, "Unrecognized SASL Callback");
}
}
String userName = "UNKNOWN";
if (nc != null) {
LOG.debug("handleNameCallback");
userName = nc.getDefaultName();
nc.setName(nc.getDefaultName());
}
if (pc != null) {
LOG.error("No password found for user: {}, validate klist matches jaas conf", userName);
}
if (ac != null) {
String authenticationId = ac.getAuthenticationID();
LOG.debug("Successfully authenticated client: authenticationID={} authorizationID= {}", authenticationId, ac.getAuthorizationID());
// if authorizationId is not set, set it to authenticationId.
if (ac.getAuthorizationID() == null) {
ac.setAuthorizedID(authenticationId);
}
// add the authNid as the real user in reqContext's subject which will be used during authorization.
if (!ac.getAuthenticationID().equals(ac.getAuthorizationID())) {
if (!impersonationAllowed) {
throw new IllegalArgumentException(ac.getAuthenticationID() + " attempting to impersonate " + ac.getAuthorizationID() + ". This is not allowed by this server.");
}
ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(ac.getAuthenticationID()));
} else {
ReqContext.context().setRealPrincipal(null);
}
ac.setAuthorized(true);
}
}
Also used :
NameCallback(javax.security.auth.callback.NameCallback)
RealmCallback(javax.security.sasl.RealmCallback)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
NameCallback(javax.security.auth.callback.NameCallback)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Callback(javax.security.auth.callback.Callback)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
SaslTransportPlugin(org.apache.storm.security.auth.sasl.SaslTransportPlugin)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
RealmCallback(javax.security.sasl.RealmCallback)
Example 10 with AuthorizeCallback
use of javax.security.sasl.AuthorizeCallback in project storm by apache.
the class SimpleSaslClientCallbackHandler method handle.
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
for (Callback c : callbacks) {
if (c instanceof NameCallback) {
NameCallback nc = (NameCallback) c;
nc.setName(username);
} else if (c instanceof PasswordCallback) {
PasswordCallback pc = (PasswordCallback) c;
if (password != null) {
pc.setPassword(password.toCharArray());
}
} else if (c instanceof AuthorizeCallback) {
AuthorizeCallback ac = (AuthorizeCallback) c;
String authid = ac.getAuthenticationID();
String authzid = ac.getAuthorizationID();
if (authid.equals(authzid)) {
ac.setAuthorized(true);
} else {
ac.setAuthorized(false);
}
if (ac.isAuthorized()) {
ac.setAuthorizedID(authzid);
}
} else if (c instanceof RealmCallback) {
RealmCallback rc = (RealmCallback) c;
((RealmCallback) c).setText(rc.getDefaultText());
} else {
throw new UnsupportedCallbackException(c);
}
}
}
Also used :
RealmCallback(javax.security.sasl.RealmCallback)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
NameCallback(javax.security.auth.callback.NameCallback)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Callback(javax.security.auth.callback.Callback)
NameCallback(javax.security.auth.callback.NameCallback)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
RealmCallback(javax.security.sasl.RealmCallback)
Aggregations
AuthorizeCallback (javax.security.sasl.AuthorizeCallback)36
Callback (javax.security.auth.callback.Callback)29
NameCallback (javax.security.auth.callback.NameCallback)28
PasswordCallback (javax.security.auth.callback.PasswordCallback)26
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)26
RealmCallback (javax.security.sasl.RealmCallback)16
IOException (java.io.IOException)12
SaslException (javax.security.sasl.SaslException)9
HashMap (java.util.HashMap)5
Map (java.util.Map)5
SaslServer (javax.security.sasl.SaslServer)3
TProtocolFactory (org.apache.thrift.protocol.TProtocolFactory)3
TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport)3
TTransportFactory (org.apache.thrift.transport.TTransportFactory)3
InetAddress (java.net.InetAddress)2
InetSocketAddress (java.net.InetSocketAddress)2
ArrayDeque (java.util.ArrayDeque)2
List (java.util.List)2
ExecutorService (java.util.concurrent.ExecutorService)2
LinkedBlockingQueue (java.util.concurrent.LinkedBlockingQueue)2
